Since this month marks the 10th anniversary of the 9/11 attacks, I am devoting most of this issue of the newsletter to aviation security issues. Several thoughtful studies have been released recently, assessing improvements made since then and challenges remaining in aviation security.

The co-chairs of the 9/11 Commission, former New Jersey Gov. Thomas Kean and former Rep. Lee Hamilton, released a report August 30th called Tenth Anniversary Report Card: the Status of 9/11 Commission Recommendations. The report takes a broad-brush approach, with transportation security getting only two of the report's 24 pages. Its main recommendation in this area is for beefed-up efforts to detect explosives on passengers at checkpoints-a task that is likely not possible to achieve without far more intrusive techniques than today's body scanners. Missing altogether from this discussion is the larger question of moving toward a far more risk-based approach.

By contrast, a more detailed and thoughtful overview is offered by the new RAND Corporation book, The Long Shadow of 9/11, edited by Brian Michael Jenkins and John Paul Godges. It covers a wide variety of terrorism-response and homeland security issues, but from a better-informed and more-sophisticated perspective than most such overviews. Especially recommended is Jack Riley's chapter, "Flight of Fancy? Air Passenger Security Since 9/11," which offers a seriously risk-based perspective.

And on September 7th, Comptroller General Gene Dodaro testified before the Senate Homeland Security and Governmental Affairs Committee on "Progress Made and Work Remaining in Implementing Homeland Security Missions 10 Years After 9/ll." (GAO-11-919T, available on the GAO website). On aviation security, it gives the TSA credit for implementing the Secure Flight program for better pre-screening of passengers and for implementing more-professional passenger and baggage screening than existed at the time of 9/11. But it faults TSA for not adopting a risk-based strategy or using cost-benefit analysis, repeats its earlier findings about the potential ineffectiveness of body scanners, reminds us that TSA has still not validated the science underlying its Behavior Detection Officers program, and notes also that there is still no plan to deploy improved checkedbaggage screening technology in response to current explosive detection requirements.

And yet despite these serious concerns, the previous day the Senate Appropriations Committee's homeland security subcommittee approved an increase in TSA's budget for FY 2012 that would enable TSA to buy an additional 275 body scanners and add another 174 Behavior Detection Officers. If we had anything like a risk-based and evidence-based approach, the BDO program would be suspended until TSA could provide a rigorous justification of its cost-effectiveness, and body scanners would be used only for secondary screening of high-risk passengers-in which case, no more would need to be procured.

I'm also dismayed that after 10 years, there is still no serious discussion of eliminating the serious structural flaw that was built into TSA by the original 2001 ATSA legislation: the agency's conflict of interest between being the aviation security regulator and also being the provider of nearly all passenger and baggage screening. No other developed western country combines those functions in a single entity. In nearly every case, a national government body sets aviation security policy and regulates airlines, airports, and the providers of both equipment and services (such as checkpoint screening). Only in the United States does the airport screening provider regulate itself. That is bad policy and bad governance.

Did Airport Screening Fail on 9/11?

Sensationalist news reports on a lawsuit about security screening at Boston's Logan Airport are reviving a myth about pre-9/11 airport security: namely, that the terrorists got onto the planes because of the poor quality of airline-hired screening contractors. The Bavis family, whose Mark Bavis died on United 175 out of BOS, has filed a wrongful death suit against United, its screening contractor Huntleigh USA, and Massport, the owner/operator of BOS. Clueless Boston Herald reporter Joe Dwinell described the screening shortcomings-poor English skills of some screeners, their manager being unaware of a federal security alert that Osama bin Laden's network was targeting U.S. aviation, etc.-as "catastrophic failings." U.S. District Judge Alvin Hellerstein dismissed Massport as a defendant on July 27th, but United and Huntleigh will face these allegations when the trial begins in November.

Thus, it's important that we understand who was and was not at fault on Sept. 11, 2001. It's quite true that the quality of airport passenger screening at the time was poor. As far back as 1987 the GAO recommended that performance standards for screening be established, but the FAA-which was in charge of airport security until the creation of TSA-did nothing. By 1996, Congress required FAA to "certify companies providing security screening and to improve the training and testing of security screeners through development of uniform performance standards for providing security screening services." The FAA finally got around to issuing a proposed rule in January 2000, which would have held the companies to minimum performance standards. With the rule still not finalized by November 2000, Congress ordered the FAA to issue the final rule by May 31, 2001.When FAA failed to meet that deadline, Congress required the agency to report twice a year on each missed statutory deadline. By Sept. 11, 2001, there were still no certification or performance standards in effect.

As Patrick Smith (of "Ask the Pilot" at Salon.com) wrote recently, "If Bavis insists on suing, she ought to be filing against the U.S. government. The 9/11 plot was always a stone's throw from being infiltrated, and it's possible the attacks would never have taken place if not for a lack of cooperation and the power games going on at the time between the FBI and CIA. A number of the hijackers, including Mohammad Atta, were known to both agencies and were under prior surveillance. The FBI sensed they were up to something but did not know where they were. The CIA knew their whereabouts, but did not share this knowledge in time. That, not some hapless security guard at Logan, is what allowed the scheme to unfold."

Not only that, Smith reminds us, but the boxcutters the hijackers apparently used as weapons were legal at the time. But even if boxcutters had been prohibited, "They could have made knives out of anything. Ballpoint pens would probably have sufficed. They were not relying on metal blades; they were relying on the element of surprise, exploiting a loophole not in security but in our mindset-our presumptions of how a hijacking would unfold. It was elementary and brilliant, dependent on absolutely no physical weaponry beyond the steely resolve of the perpetrators themselves."

Yet in its haste to "fix" the problem of mediocre screening, the Senate raced ahead, ignorant of the facts, and decided that since screening contractors had "failed," the only solution was to "federalize" the screening process, parachuting an army of federal employees into 450-odd U.S. airports. The Senate bill passed 100-0. Taking a bit more time, and actually listening to evidence, the House took a different approach. Under the leadership of Aviation Subcommittee Chair John Mica (R, FL), they learned that there were only two other countries that delegated passenger screening to airlines, as an unfunded mandate-Bermuda and Canada. Nearly every country in Europe made airports responsible for screening, under national government supervision. And already, as of 2001, nearly all major airports in Europe used private security firms under some kind of "performance contracting" model. The GAO reported on these practices in a 2001 report.

The resulting House bill (properly) removed screening from the airlines and gave it to the airports, under federal supervision and allowing for European-style performance contracting. Both airport trade associations (AAAE and ACI-NA) supported the House bill, which passed 286-139. But when the Bush White House admitted that it would sign a final bill along Senate lines, the House conference committee negotiators had the ground cut out from under them, and we ended up with the TSA as the airport screening provider (apart from a small opt-out program). Canada, by contrast, created a new entity for airport security but built it around performance contracting with private security companies.

Thus, the TSA's takeover of airport screening was based on a mistaken belief that screening failures-rather than intelligence failures-- allowed the 9/11 attacks to succeed. We are still living with the consequences of that mistake.

As you know from recent news reports, the TSA has begun a pilot program to expand the use of its growing corps of Behavior Detection Officers. Under the new program at Boston's Logan Airport, instead of just observing passengers randomly and singling out a few for questioning, BDOs in Terminal A will systematically engage waiting passengers in brief conversations, watching for signs of nervousness as indicated by avoidance of eye contact or facial "micro-expressions." For the pilot program, 70 BDOs (all with college degrees) have undergone a four-day classroom course and 24 hours of on-the-job experience prior to being turned loose on the travelers waiting to be screened.

In May 2010, the GAO issued issued a critical report on the existing BDO program, pointing out that the theoretical basis for it was practically non-existent. Citing a detailed 2008 report from the National Research Council of the National Academy of Sciences, GAO advised Congress that "a scientific consensus does not exist on whether behavior detection can be reliably used for counterterrorism purposes." GAO also noted that after having been in operation for several years, the BDO program had failed to identify a single would-be terrorist at an airport. Moreover, GAO analysis found that at least 16 individuals allegedly involved in six terrorist plots later foiled by law enforcement agencies had passed through eight airports where the BDOs had been operation at the time. Yet none of them had been spotted by BDOs as suspicious.

On April 6, 2001, GAO's Stephen Lord testified before the House Science Committee's subcommittee on investigations and oversight about the TSA's (and parent agency DHS's) response to its 2010 report. (GAO-11-461T on the GAO website)DHS's Science & Technology Directorate has contracted with the American Institutes for Research to conduct a validation study of the BDO program, but to the best of my knowledge, this study has not been released, though it was supposed to have been completed by the end of April. From the wording of his testimony, it appears that Lord does not consider this an "independent assessment" of the program. He also pointed out that the data needed to conduct such an assessment had not been systematically collected during the program's three years in operation, such that "meaningful analyses could not be conducted to determine if there is an association between certain behaviors and the likelihood that a person displaying certain behaviors would be referred to a law enforcement officer or whether any behavior or combination of behaviors could be used to distinguish deceptive from non-deceptive individuals."

In other words, the scientific basis for the entire BDO program is still non-existent. Consequently, Lord made a modest suggestion: "Congress may wish to consider limiting program funding pending receipt of an independent assessment." Merely freezing the program at 2010 levels would save $20 million per year or $100 million over five years. And when the validation is completed, "Congress may also wish to consider the study's results-including those on the program's effectiveness in using behavior-based screening techniques to detect terrorists in the aviation environment-in making future funding decisions regarding the program."

What a thought! Insist on evidence before making policy? Not a chance. As reported previously in this issue, the Senate Appropriations homeland security subcommittee voted this week to add 174 more BDOs.

Trusted Traveler-a First Step Toward Risk-Based Security

The idea of a Trusted Traveler program has made sense to me ever since I read the article "E-Z Pass for Aviation," by Michael E. Levine and Richard Golaszewski, in the November/December 2001 issue of Airports magazine. The idea that pre-vetted passengers (e.g., those with a federal security clearance) could be exempted from much of the checkpoint security hassles seemed pretty obvious. Since the overwhelming majority of those who fly are not a threat, it makes sense to devote more resources to those more likely to be a threat. Better pre-screening should be able to identify both higher-risk passengers (based on intelligence information, as incorporated in watch lists) and lower-risk passengers (based on background checks), leaving a group of occasional travelers in the middle, for intermediate levels of screening. The idea would be to refocus airport security on keeping bad people off planes, rather than bad objects.

The idea was sound enough that Congress included it in the 2001 ATSA legislation, yet factions within TSA have always held back from implementing what Congress intended. The failed Registered Traveler program, for example, did not offer any reductions in checkpoint hassle-in large part because the TSA itself did not submit the application materials to the FBI for the intended criminal history background check. Without that reduced hassle factor, far fewer frequent flyers were willing to pony up the $100-200 annual fee charged by authorized RT companies.

All this seems to have changed under TSA Administrator John Pistole, who has promised a real Trusted Traveler program, the first phase of which will get under way this fall for selected Delta frequent flyers at Atlanta and Detroit and American frequent flyers at DFW and Miami. Pistole has given speeches and interviews all year long explaining Trusted Traveler as the first step toward risk-based security (which is now becoming known as RBS). So after championing the idea for nearly a decade, I'm pleased to see if finally getting under way.

However (you knew there was going to be a however, didn't you?), I must remind you that the devil is always in the details. Bits and pieces that I've picked up in conversations and emails with various security people over the last several months have raised questions about how TSA is conceiving the program. One source relayed a conversation with TSA officials suggesting that the program would be "less a trusted traveler than a trusted ticket." The idea would be that TSA software would review the travel information of all the passengers on each flight, whether there would be an air marshal on board, etc. and make a determination near the departure date whether the TT member would get expedited screening, that fact being embedded in the bar code printed on the passenger's boarding pass. Under this model, travelers wouldn't know from one trip to the next what kind of processing they could expect, and would probably still have to get to the airport early enough for the long lines of regular checkpoint processing.

In an Aug. 23rd interview with Travel Weekly, Pistole was asked the question, "If you are a member of the program, can you go to the airport knowing that you are always going to get the expedited measure?" His reply was ambiguous: "Not 100 percent," he said. "There's a possibility and a probability as the system matures, but it won't be a guarantee because I don't want terrorists to start flying a lot and being able to game the system." That could just be referring to a small random probability that a few TT members each day will be selected for ordinary screening-but it could also mean the alternative suggested in the previous paragraph.

I'm also worried that the TT program as currently conceived may not involve a background check. In the same interview, Pistole distinguished between existing risk-based frequent traveler programs for border crossing-Global Entry and Nexus-and Trusted Traveler. Those programs, he said, "require a background check, a criminal history check, fingerprints and perhaps other biometrics." That certainly implies a lower standard for TT, which seems inconsistent in terms of overall DHS risk-based policy. Frequent flyer and other travel history data are certainly useful indicators of lower risk, but since DHS requires background checks and biometrics for its other programs, why not also require them for Trusted Traveler? TSA itself requires such background checks for several million airport employees who need regular access to the secure areas of airports, so the logistics of handling large numbers of applicants should not be an obstacle.

The fact that the initial Trusted Traveler program will not charge a fee also suggests that TSA will not be paying for background checks or biometric ID cards (to verify that the person who shows up at the checkpoint is the same one who was pre-vetted). Yet we know from a recent survey of air travelers, conducted by the U.S. Travel Association last spring, that 45% of all travelers said they would pay $100-150 to enroll in such a program (and that 75% of business travelers would be willing to pay something for the convenience and time saving).

Once TSA gets beyond the initial pilot program, I hope Pistole and his team will consider the merits of a more robust Trusted Traveler program, open not just to high-status airline frequent flyer members (and those with security clearances) but to anyone who can pass the same kind of background checks used for other DHS risk-based programs and for airport employees. And because a biometric ID card is essential to ensure that the person presenting the boarding pass is actually the person who has been pre-vetted, a biometric ID should also be part of the permanent program.

Paying for Airport Security

Currently there are two dedicated taxes (called "fees") that help pay for the TSA's aviation security activities. One is the passenger security fee, included in the ticket price. The other is the aviation security infrastructure fee (ASIF) paid by the airlines. Together, they offset $2.1 billion of TSA's $5.2 billion (gross) aviation security budget-about 40%. That percentage is lower if you include the $0.8 billion cost of the Federal Air Marshals (FAM) program in the aviation security total, as one should. On that basis, the aviation industry covers 35% of what TSA spends on aviation security. (All numbers here are for FY 2010, as enacted.)

Both of these fees have been in the news recently. The Administration has proposed a three-year phased-in increase in the passenger security fee, upping it initially by 60% in FY 2012 and by 120% as of FY 2014. The airline fee was the subject of a long legal battle, resolved in July by the US Court of Appeals in DC. ASIF is intended to have the airlines pay to TSA the same amount they themselves were spending on airport security prior to 9/11. There has been a long-running dispute about how much that really was, with the airlines objecting that numbers from 2000 overstate the case, because in those pre-9/11 days many non-passengers went through screening to see off departing passengers or to meet and greet arriving ones. Dueling studies by outside consultants, based on different estimates of non-passenger screening, produced a difference of $115 million per year in what the airlines would owe-either $305 million or $420 million. The Court of Appeals ruled in favor of TSA.

Assuming the airlines don't appeal to the Supreme Court, and their new number stays around $420 million, and that Congress goes along with the Administration's passenger fee increase request, by FY 2014 the passenger security fee would be bringing in about $4.6 billion a year. Adding that to the airline fee produces a total of about $5 billion. If the TSA budget remained at present levels (as the House is trying to arrange), that would mean fees from airlines and passengers would cover about 83% of TSA's aviation security spending.

Needless to say, the airlines have been urging Congress not to increase the passenger security fee, pointing out that ticket prices already include a number of aviation excise taxes (though they generally don't make clear that most of this money goes to the Aviation Trust Fund for investments in air traffic control and airports to better serve airlines and their passengers, and another chunk goes directly to airports in the form of Passenger Facility Charges, used for improvements in runways and terminals).

The broader question we ought to ask is this: From a public policy standpoint, who should be paying for aviation security? Airlines the world over make the argument, which has some merit, that the terrorist threat to air travel is akin to a military threat, so therefore-just as with national defense-general taxpayers should foot the bill for aviation security. But as I discovered several years ago in researching this question for the OECD's International Transport Forum, governments generally don't buy that argument. In Canada, 100% of the costs of aviation security are met via air security fees. After last year's increases, those fees range from C$7.50 (one-way domestic flight) to C$25 (one-way international flight). In Europe, nearly all security costs are recovered from airlines and passengers, though the specifics vary by country. Thus, the United States is the only major western country in which general taxpayers pay for two-thirds of the cost of aviation security.

Although my airline friends will disagree, I've concluded that the cost of aviation security measures is somewhat analogous to insurance. If you engage in risky behavior (drive a sports car, live in a beach house, etc.) you expose yourself to higher risks, and you rightly pay somewhat more for the relevant kind of insurance. Likewise, while it's not the fault of air travelers or airlines that aviation is a high-profile terrorist target, the fact is that it is. So from a resource-allocation standpoint, I think a sector-specific user-tax approach is less bad than having general taxpayers pay for this.

There is also a pragmatic advantage to this being the policy. If TSA were funded entirely by general taxpayers, the cost per taxpayer would be so small that taxpayers would not be concerned about bloated TSA budgets or non-cost-effective programs. But with airlines and their passengers paying the bills, there are strong constituencies for holding TSA accountable for results, pushing Congress to mandate risk-based policies, cost-benefit analysis, and all the rest.

News Notes

Bids Submitted for Madrid and Barcelona Privatizations

Despite political and economic uncertainties in Spain, six teams submitted bids for 20-year concessions to operate Madrid-Barajas and Barcelona El Prat airports on September 6th.Five of the six teams bid for both airports; among the major firms involved are Ferrovial, Changi Airports Group, Fraport, Aeroports de Paris, and Abertis. The estimated value of Madrid-Barajas is $5.2 billion, and for Barcelona El Prat is $2.3 billion. State aviation agency AENA is offering 90.05% of each airport company.

12 Teams Seek San Juan, Puerto Rico Airport

The Puerto Rico Public-Private Partnerships Authority and the Puerto Rico Airports Authority have received 12 responses to their request for qualifications from teams hoping to lease and upgrade Luis Munoz Marin International Airport in San Juan. Potential bidders include ASUR, OMA, Macquarie, Ferrovial, Fraport,GMR Infrastructure, and GE Capital Aviation. The lease is expected to be 40 to 50 years. Details are available at www.p3.gov.pr/?page_id=960&lang=en.

Noibi Pleads Guilty to Stowing Away

The Nigerian-American who used fake or stolen boarding passes to board several U.S. flights earlier this year, pleaded guilty in U.S. District Court in Los Angeles to one count of stowing away on a vessel or aircraft. Olajide Noibi faces up to five years in prison and a fine of up to $250,000. A separate count of using false documents to enter the secure area of LAX was dropped under a plea bargain. Still unanswered is the question of how Noibi several times managed to get through TSA security screening with false documents.

Over 32,000 MANPADs Destroyed, Says State Department

Since 2003, the U.S. government has found and destroyed over 32,500 "excess, loosely secured, illicitly held, or otherwise at-risk" man-portable air defense systems in more than 30 countries. Over a million MANPADs are estimated to have been produced, and an unknown number remain in illicit hands. Since 1975, 40 hits on civilian aircraft have led to 28 crashes and more than 80 deaths-mostly in developing countries. The two most recent attacks were in Iraq in 2003 (in which the plane landed safely) and in Somalia in 2007 (in which the plane crashed, with 11 deaths).

Mixed News on Body Scanners

In mid-July the U.S. Court of Appeals for the DC Circuit rejected a constitutional challenge to airport body scanners, on grounds that air travelers have the alternative of a pat-down. On July 30th, German federal police concluded, based on a 10-month trial of body scanners at Hamburg airport, that the scanners are too inaccurate for regular use. In Australia, Sydney and Melbourne airports are testing a new type of scanner based on TeraHertz waves given off by people and objects; they are being used only for secondary screening of potentially high-risk passengers.

Chicago Requests Another Midway Extension

On August 1st the city of Chicago asked for yet another extension of its slot in the federal Airport Privatization Pilot Program. Dow Jones Newswires reports that "the new request could signal a change of heart by new Chicago Mayor Rahm Emanuel, who previously has come out against the Midway privatization effort."

Port Authority Receives Airport Expansion Ideas

The Port Authority of New York and New Jersey has received numerous responses to its request for comments on possible expansion of LaGuardia, Kennedy, and Newark airports, the worst in the nation for delays and cancellations. The request cited a detailed study released in January by the Regional Plan Association, which made a serious case for expanding the airports' capacity.

St. Louis Cargo Proposal Under Fire

The proposal for state and federal taxpayers to subsidize a massive air cargo hub at St. Louis's Lambert International Airport, which I wrote about last issue, has started to attract critical scrutiny. In July, St. Louis Today interviewed Greg Lindsay, co-author of the recent book Aerotropolis, who said, bluntly, "I don't think it will work."The free-market think tank, the Show Me Institute, trashed the proposal as a boondoggle. And in mid-August, the Kansas City Star editorialized against it, in a piece headlined "A Huge, Questionable Taxpayer Subsidy for Aerotropolis."

BAA May Appeal Forced Airport Sale

In mid-July, the U.K. Competition Commission re-affirmed its 2009 decision that privatized airport operator BAA must sell Stansted airport and one of its two Scottish airports, to un-do a near-monopoly situation created when the airports operator was privatized as a single company (rather than selling off the individual airports). A week later BAA announced that it was considering an appeal, which it has until Sept. 19 to file. Last year BAA sold Gatwick airport, leaving it with Stansted and Heathrow in the London air travel market.

Quotable Quotes

"Performance measures for TSA, it seems, have yet to be developed, even though it is now a decade since 9/11. For example, the agency has publicly stated that its top goal is to be able to detect explosives reliably, something TSA has yet to achieve. How is this considered when TSA's performance is evaluated? It is entirely appropriate for Congress to have all TSA goals clearly identified in detail, kept up-to-date, and then determine either achievement of such goals or progress toward them, if any. Only in this way can a beginning be made on judging how well TSA is performing. Only in this way can the relationship between TSA costs and benefits at least be approximated after-the-fact. In turn, the knowledge and insights obtained can be deployed to develop cost/benefit expectations for new TSA initiatives."

"I think there may be a point in the not too distant future where we see AIP [Airport Improvement Program grants] go away. So we have to start taking a new look at the way we finance our capital projects; we don't need to depend on handouts from anybody. . . . PFCs are local revenue. And the government should step out of the role of dictating to local communities what they need to be doing to facilitate their needs with local revenues. De-federalize as much as we can and put this back at the local level."

"Last week's big story was about terrorists planning to blow up airplanes using surgically implanted explosives. . . . Playing straight into the hands of the contractors and lobbyists, the press and pundits are asking all the wrong questions. The buzz is all about ways of jiggering airport security. How can we upgrade our scanners and detectors in order to meet this 'new level of threat'? We're already peering through people's pants. Are full-on X-rays and CAT scans next? Nobody will admit what's obvious. First, that we cannot protect ourselves from every conceivable threat. And equally important, that this isn't an issue for airport security at all. As I've been emphasizing for years, the real job of keeping terrorists away from planes does not belong to guards at the checkpoint. It is higher up the chain-to the people at the FBI, Interpol, the CIA, and elsewhere among law enforcement and intelligence ranks. Plots need to be foiled in the planning stage. Once a saboteur has made it to the terminal, chances are it's too late-he or she hasfigured out a means of getting through."

"I don't think anybody was really comfortable with the airline-provided security contractors that existed before 9/11. Then came this huge political upsurge by the government which led to the creation of the TSA. I think the industry went from one extreme to another without pausing in the middle. There was a missed opportunity to have airport operators move into that line of work; they already had substantial law enforcement responsibilities, and many had their own police departments."

"We're beginning to see pushback, where people are almost becoming adversaries of the security systems that are put in place to protect them. Now that's a good way to destroy a security system, and we have to address that as an issue. . . . We are throwing down a billion dollars to deploy body scanners at airports across the country. The terrorists invested a few thousand. We throw down a billion. . . . We're going to lose that battle in the long run."

"The TSA is in a losing battle. So here's a brighter idea. The government could recognize that it's impossible to screen passengers (and cargo) for every type of banned material. If a terrorist plot has gone undiscovered by the world's intelligence agencies, by the U.S. military, by the Federal Bureau of Investigation, and by local law enforcement, the chance is high that the plotters are also more sophisticated than the TSA. It's better to accept some level of risk, minimize the TSA's ever more intrusive disruptions to American life, and redirect some of its enormous budget to agencies that can eliminate terrorist plots before they mature to the point that conspirators are boarding planes."